Module 7
SY0-701 exam training
Purpose
After this module, you should be able to not only know the material, but also solve exam questions.
Security+ often checks:
- do you understand the scenario
- can you distinguish the correct answer from the best one
- can you match the control to the risk
- do you know the sequence of actions
- do you confuse similar concepts
- whether you can act practically in a simulation task.
CompTIA describes performance-based questions as tasks that test problem solving in realistic settings; may be in the form of an environment simulation or a tool, e.g. a firewall, network diagram, terminal or operating system. CompTIA also states that Security+ is part of the PBQ simulation certification.
1. How to read script questions
Problem
Many people know the definitions but lose points because they answer too quickly. Security+ often gives you several answers that are partially true. You need to choose the best answer for a given scenario.
Mechanism
Read the question in this order:
- First the last sentence of the question
- See what they are really asking about: "best next step", "most likely attack", "best mitigation", "first action", "primary purpose".
- Then the script
- Look for facts: who, what, where, when, what symptom, what resource, what limitation.
- Identify the domain
- Is it a question about attack, architecture, operations, IAM, risk, compliance?
- Delete absurd answers
- Often 1-2 options are eliminated right away.
- Compare technically correct answers
- Choose the one that best fits the problem and sequence of actions.
- Example
Scenario
EDR detected a suspicious process on a laptop that communicates with the command and control domain. What should the analyst do first?
Possible answers:
- A. Do the lessons learned.
- B. Isolate the host.
- C. Update the security policy.
- D. Conduct an annual audit.
Best answer: B. Isolate the host.
Why:
This is an active incident. First you need to limit the effects, i.e. perform containment. Lessons learned comes later. Audit and policy may be important, but they are not the first action.
2. The most common exam pitfalls
Trap How to avoid it
Confusing first and best "First" refers to the order, "best" to the best match.
Choosing the Most Expensive Technology The exam asks about fit, not the most advanced tool.
Confusing detection with prevention SIEM detects, MFA prevents account takeover after password leakage.
Confusing remediation with mitigation Remediation removes the problem, mitigation reduces the risk.
Confusing RTO with RPO RTO = recovery time, RPO = amount of data lost measured in time.
Confusing SAML with OAuth SAML often federated SSO, OAuth delegated authorization.
Considering an Alert an Incident Alert requires triage and context.
Skipping the process Change management, risk acceptance and chain of custody are often a better answer than a tool.
3. PBQ strategy
Problem
PBQs are stressful because they look different than regular questions. They may require matching elements, setting rules, analyzing a diagram, or performing logical configuration.
Principle of operation
In PBQ, don't try to "click everything." Treat the task as an operational scenario.
Order:
- Read the goal.
- Identify the resource and the problem.
- List the limitations.
- Determine whether it is network, IAM, logs, architecture, risk or incident response.
- Perform the minimum correct configuration.
- Check if you have not added too wide access.
- Leave time to return if the exam platform allows it.
CompTIA indicates that with simulation PBQs you can skip them and come back later, but with virtual PBQs this is not always possible; CompTIA also states that scoring can take into account various possible approaches and partial points.
4. PBQ training - word problems
These are original training tasks, not questions from a real exam.
PBQ 1: Firewall rules for a web application
Scenario
The company has a web application:
- Internet users are to have access to the application via HTTPS
- the application server is to communicate with the database
- Internet users cannot connect directly to the database
- administrators are to manage servers only via jump server
- logs are to be sent to SIEM.
- Task
Match Motion:
- Source Goal Motion Decision
- Internet WAF / HTTPS web application 443 ?
- Internet Database DB port ?
- Application Server Database DB port ?
- Administrator Production server SSH/RDP directly?
- Administrator Jump server SSH/RDP/VPN ?
- SIEM servers Log forwarding?
- Answer
- Source Goal Motion Decision
- Internet WAF / web application HTTPS 443 Allow
- Internet Database DB port Deny
- Application Server Database DB port Allow
- Administrator SSH/RDP production server directly Deny
- Administrator Jump server SSH/RDP/VPN Allow, preferably with MFA
- SIEM servers Log forwarding Allow
Most important logic:
You don't open the database to the Internet. You centralize administration via a jump server. Logs must flow to the SIEM.
PBQ 2: Incident response - ransomware
Scenario
EDR detects mass file changes on a user's laptop. The network share contains files with new extensions. The laptop is communicating with an unknown domain.
Task
Put the actions in the right order:
- A. Lessons learned
- B. Host isolation
- C. Recovery from backup
- D. Analysis of the scope of infection
- E. Removing the malware and closing the entry vector
- F. Detection by EDR and user reporting
Answer
F. Detection by EDR and user reporting
D. Analysis of the scope of infection
B. Host isolation
E. Removing the malware and closing the entry vector
C. Recovery from backup
A. Lessons learned
Exam note:
In many scenarios, containment will be a very early action. Analysis and containment often occur closely together. If the question asks about first action to stop spread, choose isolation.
PBQ 3: Selection of data sources
Scenario
An analyst investigates a possible data leak. The user account downloaded a large number of records from the application and then sent the file to an external email address.
Task
Match your question to the best data source.
Question The best source
| Has the user exported from the application? | ? |
|---|---|
| Has the message left the organization? | ? |
| Did the file contain sensitive data? | ? |
| Was the account logging in unusually? | ? |
| Was the endpoint creating a suspicious archive? | ? |
Answer
Question The best source
| Has the user exported from the application? | Application logs |
|---|---|
| Has the message left the organization? | Email gateway logs |
| Did the file contain sensitive data? | DLP logs |
| Was the account logging in unusually? | IAM/authentication logs |
| Was the endpoint creating a suspicious archive? | EDR/endpoint logs |
Most important logic:
Not every investigation starts with packet capture. You choose the data source for the question.
5. Final test - 30 questions
Question 1
Which control best ensures non-repudiation?
A. Data masking
B. Digital signature
C.Backup
D. DNS filtering
Correct answer: B
Explanation:
A digital signature helps confirm authorship and integrity, supporting non-repudiation.
Question 2
The user has logged in successfully, but has no access to the report. What should be checked?
A. Authentication
B. Authorization
C. DNS poisoning
D. Ombudsman
Correct answer: B
Explanation:
Login confirms your identity. Access to the report depends on authorization.
Question 3
Multiple accounts have one failed login attempt with the same password. What is it most likely?
A. Brute force
B. Password spraying
C.XSS
D. Tailgating
Correct answer: B
Explanation:
Password spraying spreads attempts across multiple accounts.
Question 4
The company wants to protect the web application against SQL injection and XSS. What suits best?
A. WAF
B.UPS
C. Cold site
D.Password vault
Correct answer: A
Explanation:
Web Application Firewall protects web applications against common application attacks. It is not a substitute for code improvement, but is a proper architectural control.
Question 5
RTO means:
- A. Maximum acceptable data loss
- B. Maximum acceptable unavailability time
- C. Vulnerability identifier
- D. List of revoked certificates
Correct answer: B
Question 6
RPO means:
- A. How much data can be lost at most, measured by time
- B. How to fix your system quickly
- C. What is the CVSS score
- D. How often to perform a physical audit
Correct answer: A
Question 7
CVE is used to:
- A. Identification of a known vulnerability
- B. Score the severity of vulnerability
- C. Federated SSO
- D. Data encryption
Correct answer: A
Question 8
CVSS is used for:
- A. Scoring of the severity of susceptibility
- B. Backup
- C. Data tokenization
- D. Supply chain analysis
Correct answer: A
Question 9
An impossible travel SIEM alert should first lead to:
- A. Immediately delete your account
- B. Triage and context checks
- C. Disable all logs
- D. SIEM removal
Correct answer: B
Question 10
Which stage of incident response limits the effects of the incident?
A. Recovery
B. Containment
C. Lessons learned
D. Preparation
Correct answer: B
Question 11
Which step removes the cause of the incident?
A. Eradication
B.Detection
C. Preparation
D. Reporting
Correct answer: A
Question 12
Which mechanism is best to detect unauthorized configuration file change?
A.FIM
B. Ombudsman
C. ALS
D. Steganography
Correct answer: A
Question 13
Which document defines the provider's service level?
A. ALS
B.NDA
C. Ombudsman
D.CVE
Correct answer: A
Question 14
Which document protects the confidentiality of information?
A.NDA
B. MOU
C. MTBF
D. SPF
Correct answer: A
Question 15
The company wants to have the right to audit the supplier. What should she add to the contract?
A. Right-to-audit clause
B. Data masking
C.Packet capture
D. Fail-open
Correct answer: A
Question 16
Which access control model is role-based?
A.RBAC
B.DAC
C. MAC
D. CSRF
Correct answer: A
Question 17
Which access model uses attributes such as location, device, and risk level?
A.ABAC
B.DAC
C. Hashing
D.DLP
Correct answer: A
Question 18
The two passwords used to log in are:
- A.M.F.A
- B. Still one type of agent
- C. Biometrics
- D. Federation
Correct answer: B
Explanation:
Two slogans are still "something you know".
Question 19
The application wants to gain limited access to the user's resource without knowing the user's password. What suits best?
A.OAuth
B. SLE
C. ARP poisoning
D. Cold site
Correct answer: A
Question 20
Federated SSO often uses:
- A. SAML
- B. Ombudsman
- C. DDoS
- D. NAT as an identity mechanism
Correct answer: A
Question 21
Which action best limits the effects of compromising one segment of the network?
A. Segmentation
B. Changing the hostname
C. Disabling logs
D. Increasing the number of administrators
Correct answer: A
Question 22
Which solution is best for a central point of server administration?
A. Jump server
B. Public file share
C. Guest Wi-Fi
D. Data subject
Correct answer: A
Question 23
Which source will best show whether the user has exported data from the application?
A. Application logs
B. UPS logs
C. Parking camera
D.CRL
Correct answer: A
Question 24
Which source will best show a suspicious process on a laptop?
A.EDR logs
B.SLA
C. Risk appetite
D. MOU
Correct answer: A
Question 25
SLE = PLN 40,000, ARO = 2. BUT is:
- A. PLN 20,000
- B. PLN 40,002
- C. PLN 80,000
- D. PLN 2,000
Correct answer: C
Question 26
The company purchases cyber insurance. What is this risk strategy?
A. Transfer
B. Avoid
C. Eradication
D.Deprovisioning
Correct answer: A
Question 27
The company abandons the project because the risk is too high. What's the strategy?
A. Avoid
B.Accept
C. Transfer
D. Hashing
Correct answer: A
Question 28
Which document is a step-by-step guide?
A.Procedure
B. Policy
C.Guideline
D.CVSS
Correct answer: A
Question 29
Which element is a high-level organizing principle?
A. Policy
B.Packet capture
C.NetFlow
D. OAuth token
Correct answer: A
Question 30
The best description of Zero Trust is:
- A. Full trust in users on the company network
- B. No default trust and constant access verification
- C. Purchasing one security product only
- D. Disabling all remote connections
Correct answer: B
6. Analysis of test results
After taking the test, don't just count the points. Assign errors to domains:
- Error type Domain
- CIA, AAA, Zero Trust, cryptography 1.0 General Security Concepts
- Attacks, vulnerabilities, malware, mitigations 2.0 Threats, Vulnerabilities, and Mitigations
- Segmentation, WAF, cloud, RTO/RPO technical 3.0 Security Architecture
- IAM, hardening, SIEM, EDR, incident response 4.0 Security Operations
- Risk, governance, audit, third-party, awareness 5.0 Security Program Management and Oversight
- Interpretation thresholds
- Result Interpretation
- 27-30/30 Very good, move on to mixed and PBQ questions.
- 23-26/30 Good, fix specific weak domains.
- 18–22/30 Go back to the modules with the most bugs.
- Below 18/30 Revision of foundations and repeated modular tests required.
7. Final revision plan
Stage 1: Revision of confused concepts
Repeat especially:
- A pair of concepts What to remember
- Authentication vs Authorization Who you are vs what you can do.
- Encryption vs Hashing Keyed reversal vs one-way hash.
- SAML vs OAuth Federated SSO vs delegated authorization.
- CVE vs CVSS ID vs scoring.
- RTO vs RPO Recovery time vs data loss.
- IDS vs IPS Detects vs can block.
- SIEM vs EDR Multi-source vs endpoint correlation.
- Containment vs. Eradication. Limiting the effects vs. removing the cause.
- Policy vs Procedure Policy vs steps.
- SLA vs NDA Service level vs confidentiality.
- Stage 2: Revision by domain weights
Spend the most time on the domains with the highest importance:
- Security Operations - 28%
- Threats, Vulnerabilities, and Mitigations - 22%
- Security Program Management and Oversight - 20%
- Security Architecture - 18%
- General Security Concepts - 12%
This distribution results from the official SY0-701 domain division.
Stage 3: Scenario training
For each question, write down:
- what is the domain
- what is the problem
- what is the best answer
- why are the other answers worse
- which is easy to confuse.
- Stage 4: Time training
The exam lasts 90 minutes and has a maximum of 90 questions, so on average you have about a minute per question, but PBQs can take longer.
Strategy:
- solve questions you understand first
- don't get stuck on one question for too long
- mark questions to return
- in PBQ, first set the goal, then configure
- leave time for review.
8. Final flashcards
Front of the index card. Back of the index card
The largest domain is SY0-701 Security Operations - 28%.
RTO Recovery Time Objective - How quickly the system needs to recover.
RPO Recovery Point Objective - How much data can be lost at most.
CVE Common Vulnerabilities and Exposures - Vulnerability identifier.
CVSS Common Vulnerability Scoring System - Vulnerability severity scoring.
SIEM Security Information and Event Management - Centralization and correlation of logs.
EDR Endpoint Detection and Response - Detection and response at endpoints.
DLP Data Loss Prevention - Protection against data leakage.
FIM File Integrity Monitoring - Monitoring file changes.
NAC Network Access Control - Control of device access to the network.
RBAC Role-Based Access Control - Role-based access.
ABAC Attribute-Based Access Control - Access based on attributes and context.
SAML Security Assertion Markup Language - Often federated SSO.
OAuth Open Authorization - Delegated authorization.
PAM Privileged Access Management - Privileged access management.
MFA Multi-Factor Authentication - At least two different types of factors.
WAF Web Application Firewall - Protection of web applications.
IDS Intrusion Detection System - Detects and alerts.
IPS Intrusion Prevention System - Can block traffic.
Containment Limiting the effects of the incident.
Eradication Elimination of the cause.
Recovery Restore operation.
Lessons learned Recovery after an incident.
SLA Service-Level Agreement - Service level.
NDA Non-Disclosure Agreement - Confidentiality of information.
ALE Annualized Loss Expectancy - SLE × ARO.
Policy High-level policy.
Procedure Step-by-step instructions.
9. Final readiness checklist
Before taking the exam, you should be able to:
- Solve scenario questions without guessing based on keywords.
- Distinguish the correct answer from the best one.
- Explain all domains of SY0-701.
- Solve questions from CIA, AAA, Zero Trust and Cryptography.
- Recognize attacks, malware and mitigations.
- Design simple segmentation.
- Select WAF, IDS, IPS, SIEM, EDR, DLP, NAC and FIM.
- Describe vulnerability management.
- Distinguish between CVE, CVSS, remediation, mitigation and exception.
- Distinguish between SSO, federation, SAML and OAuth.
- Describe the incident response in the correct order.
- Select data sources for investigation.
- Explain chain of custody and legal hold.
- Calculate BUT.
- Distinguish RTO from RPO.
- Distinguish between SLA, NDA, MOU and right-to-audit.
- Distinguish between policy, standard, procedure and guideline.
- Indicate the risk strategy: accept, avoid, transfer, mitigate.
10. Final inspection of the entire course
Domain coverage
Domain Course Modules Status
1.0 General Security Concepts Module 1 Covered
2.0 Threats, Vulnerabilities, and Mitigations Module 2 Covered
3.0 Security Architecture Module 3 Covered
4.0 Security Operations Modules 4 and 5 Covered
5.0 Security Program Management and Oversight Module 6 Covered
PBQ and Exam Strategy Module 7 Covered
The biggest risks before the exam
Risk How to reduce it
Confusing similar concepts Repeat the table of confused pairs.
Solving questions too slowly. Practice timed tests.
Poor PBQ Practice diagrams, matches and order of operations.
No error analysis Assign each error to a domain.
Skipping governance Repeat Module 6 because this domain has 20%.
Security Operations too weak. Repeat Modules 4 and 5, because together they cover the largest domain.
11. Recommended repetitions
7-day repeat
Day Range
1 Module 1: Controls, CIA, AAA, Zero Trust, Cryptography
2 Module 2: attacks, vulnerabilities, malware, mitigations
3 Module 3: architecture, segmentation, data, HA/DR
4 Module 4: hardening, asset management, vulnerability management, IAM
5 Module 5: SIEM, EDR, DLP, incident response, forensics
6 Module 6: governance, risk, third-party, compliance, awareness
7 Module 7: mixed test, PBQ, error analysis
3-day repeat
Day Range
1 Domains 1–2
2 Domains 3–4
3 Domain 5 + PBQ + mixed test
Last day before the exam
Don't learn big new topics. Do:
- flashcards with confused concepts
- 20–30 mixed questions
- 2–3 PBQ text problems
- a short review of RTO/RPO, CVE/CVSS, SAML/OAuth, SIEM/EDR, policy/procedure.
- Checking the completeness of module 7
Range covered:
- question solving strategy
- exam traps
- PBQ
- final test
- analysis of results
- end cards
- readiness checklist
- final course inspection
- revision plan.